Tag Archives: 12.04

For a more secure terminal (SSH) environment, you can add a second factor to authenticate a user. I personally run Ubuntu and I implemented the Google Authenticator on my Ubuntu system using the Authenticator Library of Google in combination with my iPhone with the Google Authenticator App. Implementation is quite simple: follow the instructions below and make sure that you store the generated emergency keys somewhere safe!

1. Login to your system running Ubuntu as the user you want to authenticate with a second factor. Make sure this user has sufficient sudo rights.

2. Install the Google Authenticator library

user@server:~$ sudo apt-get install libpam-google-authenticator

3. After installing, run the Google Authenticator binary

user@server:~$ google-authenticator

4. A QR code is generated together with a secret key and several emergency keys. Make sure you store these keys somewhere safe!

5. Answer the following questions the way you prefer for your system

Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

6. Edit /etc/pam.d/sshd to activate the Google Authenticator while logging in through SSH
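
A check to run after steps 5 and 6, as an added example that is not part of the original post: it audits the state file for owner-only permissions and for the options written when the reuse and rate-limit questions are answered "y", and tests whether a PAM file loads the module on an uncommented auth line. The function names and the sample file are constructed for illustration; the option names (DISALLOW_REUSE, RATE_LIMIT) and the module file name pam_google_authenticator.so come from the Google Authenticator PAM module, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are arguments so the checks
# can run against copies; on the system above they would be
# ~/.google_authenticator and /etc/pam.d/sshd.

# has_option FILE NAME: true if the state file has an option line `" NAME ...`
has_option() {
    grep -Eq "^\" $2( |\$)" "$1"
}

# audit_state FILE: print findings, return 0 only if there are none
audit_state() {
    f=$1; rc=0
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # Secret and emergency codes live here: no group/other permission bits.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "$f is accessible to group or others"; rc=1
    fi
    # Options written when answering "y" to the reuse and rate-limit questions.
    for opt in DISALLOW_REUSE RATE_LIMIT; do
        has_option "$f" "$opt" || { echo "option $opt not set in $f"; rc=1; }
    done
    return $rc
}

# pam_enabled FILE: true if an uncommented auth line loads the module
pam_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1"
}

# write_sample FILE: constructed state file (fake secret and emergency code)
write_sample() {
    printf '%s\n' 'EXAMPLEKEYEXAMPLE' '" RATE_LIMIT 3 30' '" WINDOW_SIZE 17' \
        '" DISALLOW_REUSE' '" TOTP_AUTH' '11111111' > "$1"
    chmod 600 "$1"
}
```

Source the file and call `audit_state ~/.google_authenticator` and `pam_enabled /etc/pam.d/sshd`; a non-zero return from either means the second factor is not configured as the steps above intend.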